authenticate user without logging them on

14 posts, 1 answered
  1. Phil
    89 posts
    Registered:
    19 Oct 2010
    16 Sep 2011
    We need to authenticate a user without logging them on.
    It looks like the SecurityManager.AuthenticateUser methods all log on the user that the method authenticates.

    What method can we use to authenticate a uid and pwd without logging that user on?

    Thanks
  2. Phil
    89 posts
    Registered:
    19 Oct 2010
    19 Sep 2011
    2nd request

    btw, we tried UserManager.GetPassword Method (String, String) but our pwds are hashed so we can't use that.

    Any ideas on how we can authenticate a user w/o logging them in?
  3. Boyan Barnev
    1429 posts
    Registered:
    30 Oct 2017
    21 Sep 2011
    Hi Phil,

    That's a tough one, unfortunately there is no way to have a user being authenticated but not being logged in - there's a simple logic behind that: if you have a user who is authenticated, he will count as a backend user, so he can access the site backend. In this line of reasoning using SecurityManager.AuthenticateUser() will automatically register the cookie for your successful authentication and count the user as logged in. Can you please let us know of the exact use case scenario you are trying to implement, maybe we can come up with a workaround for this?

    Greetings,
    Boyan Barnev
    the Telerik team
    Do you want to have your say in the Sitefinity development roadmap? Do you want to know when a feature you requested is added or when a bug is fixed? Explore the Telerik Public Issue Tracking system and vote to affect the priority of the items
  4. Phil
    89 posts
    Registered:
    19 Oct 2010
    21 Sep 2011
    Neither of the users that are involved in this use case are backend users.

    The logged in user is a student. They are taking lessons online. We have a widget in the page that has the answers to the student's questions in it. The answers are hidden but become visible if the student's guide (usually a parent) enters their (the guide's) uid and pwd.

    So we send the uid and pwd, that the guide enters, to a webservice where we want to verify that these are valid credentials. If the credentials are valid we display the answers. We want the student to stay logged on, though.

    btw, we tried UserManager.GetPassword Method (String, String) but our pwds are hashed so we can't use that.
  5. Boyan Barnev
    1429 posts
    Registered:
    30 Oct 2017
    22 Sep 2011
    Hi Phil,

    If the users do not belong to the backend users role, then they should not count towards the online backend users limitation of Sitefinity. In other words, you can use the built in functionality to authenticate your users and display the results only if the user is authenticated, since if they are not BackendUsers, they do not have permissions to view the site's backend.

    Kind regards,
    Boyan Barnev
    the Telerik team
  6. Phil
    89 posts
    Registered:
    19 Oct 2010
    22 Sep 2011
    You wrote "In other words, you can use the built in functionality to authenticate your users and display the [ answer key widget's ] results"

    What method(s) are you referring to when you say, "built in functionality"?  We have tried AuthenticateUser() and it logs the current user off - in our case, the student.

    So, when neither of the users in our use case are backend users, what method(s) can we use to authenticate a user (the guide in our use case) without logging our student off?

    Thanks
  7. Eric
    147 posts
    Registered:
    12 Nov 2007
    23 Sep 2011
    It's not great, but you can get the user by their username and compare the hashed password in the database with the password they enter (after you hash it by hand).
  8. Boyan Barnev
    1429 posts
    Registered:
    30 Oct 2017
    23 Sep 2011
    Hello Eric,

    By the built in functionality I meant to configure widget permissions, so that the results can be visible only to a certain role (in other words to split the answers into a different widget, that can be dropped onto the page, and set its permissions as per the suggestion above).


    Greetings,
    Boyan Barnev
    the Telerik team
  9. Phil
    89 posts
    Registered:
    19 Oct 2010
    23 Sep 2011
    uh, it wasn't Eric w/ the question it was me.  :-)

    Anyway. I understand what you are saying about making the answers a separate widget. Thanks. But I can't just make the answers available to any guide.

    So, I think your recommendation leaves me w/ the same problem: I still have to ask the guide for their credentials and I still have to authenticate those credentials, and, so far, I haven't found any way to authenticate the guide's credentials w/o logging the student off.

    So, when neither of the users in our use case are backend users, what method(s) can we use to authenticate a user (the guide in our use case) without logging our student off?
  10. Boyan Barnev
    1429 posts
    Registered:
    30 Oct 2017
    23 Sep 2011
    Hello Phil,

    I'm sorry about the confusion with the names. Just to make sure we're on the same track here, are you trying to authenticate the guide in the same browser where the student is already logged in? If that's the case, unfortunately there's no way for this functionality to work, as the authentication cookie is persisted in the browser, so in order to authenticate the other user, and persist the cookie, it will need to replace the first user's (the student's) cookie. However, this should work without problems when using two different browsers on the same machine. Looking forward to your reply.

    Kind regards,
    Boyan Barnev
    the Telerik team
  11. Phil
    89 posts
    Registered:
    19 Oct 2010
    23 Sep 2011
    Thanks for the quick reply.  Crystal clear - re the browser, the cookie, etc.

    How about this: we send the guide's uid and pwd to a web service (that we write). In the web service we authenticate the credentials and return Authenticated or NotAuthenticated. The idea being that we are isolating the AuthenticateUser() method in another thread.

    Is this approach improved if the web service is on another machine - a machine other than our web server?

  12. Eric
    147 posts
    Registered:
    12 Nov 2007
    23 Sep 2011
    This is what I was thinking. You'd have to fill in the guts of the HashedPassword function. I could send you the function, I just wasn't sure it'd be proper to post it. This code would authenticate the user without logging them in (or logging anyone out).

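    // Button handler: reveal the answers only when the entered credentials check out.
    protected void btnAuthenticate_Click(object sender, EventArgs e)
    {
        if (AuthenticateUser(txtUsername.Text, txtPassword.Text))
            ShowAnswers();
    }

    // Compares the stored hash with a hash of the entered password; no login cookie is set.
    private bool AuthenticateUser(string username, string password)
    {
        User user = UserManager.GetManager().GetUser(username);
        return user != null && user.Password == HashedPassword(password, user.Salt);
    }

    // Must hash the plaintext with the salt the same way the stored password was hashed.
    private string HashedPassword(string plaintext, string salt)
    {
        ...
    }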
  13. Boyan Barnev
    1429 posts
    Registered:
    30 Oct 2017
    23 Sep 2011
    Hello Phil and Eric,

    I'm not quite sure whether this approach will work out for you guys, I mean it solves the multi threading not being allowed problem, however a call to Login() will be made eventually, when using AuthenticateUser(). However, if I got Phil's use case scenario properly, it looks like he just needs to perform a check whether the entered credentials are valid, in order to display the results (in other words, you don't actually need to have the user as a logged in user, you want to perform a username/password check). Please do not hesitate to correct me if I'm wrong in assuming the previous statement, but if that's the desired functionality, wouldn't ValidateUser() serve you better?

    Kind regards,
    Boyan Barnev
    the Telerik team
    Answered
  14. Phil
    89 posts
    Registered:
    19 Oct 2010
    23 Sep 2011
    There it is.  Thanks.

    We were in the SecurityManager namespace using SecurityManager.AuthenticateUser(-overloads-)

    and didn't see  UserManager.ValidateUser(userName, userPwd)

    Thanks again.
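
Added example (not part of the thread and not Telerik's code): the credential check the thread settles on, wrapped so that it verifies the guide's password without issuing a cookie, limits repeated guesses from the student's session, and confirms the guide belongs to that student. The class name, the `isGuideOf` lookup and the failure limits are assumptions; the validator delegate is meant to wrap `UserManager.GetManager().ValidateUser`.

```csharp
using System;
using System.Collections.Concurrent;

// Added example: verifies a guide's password without touching the student's session.
public sealed class GuideCredentialCheck
{
    private const int MaxFailures = 5;                                   // assumed policy
    private static readonly TimeSpan Window = TimeSpan.FromMinutes(15);  // assumed policy

    private readonly Func<string, string, bool> validate;   // password check only, issues no cookie
    private readonly Func<string, string, bool> isGuideOf;  // hypothetical (guide, student) lookup
    private readonly ConcurrentDictionary<string, (int Count, DateTime First)> failures =
        new ConcurrentDictionary<string, (int Count, DateTime First)>(StringComparer.OrdinalIgnoreCase);

    public GuideCredentialCheck(Func<string, string, bool> validate,
                                Func<string, string, bool> isGuideOf)
    {
        this.validate = validate;
        this.isGuideOf = isGuideOf;
    }

    // studentName must come from the student's server-side identity, not from the request.
    public bool MayShowAnswers(string studentName, string guideName, string guidePassword)
    {
        string key = studentName + "|" + guideName;
        DateTime now = DateTime.UtcNow;

        // Throttle guessing: after MaxFailures misses in the window, refuse without checking.
        if (failures.TryGetValue(key, out var f) && now - f.First < Window && f.Count >= MaxFailures)
            return false;

        // Valid credentials alone are not enough: the account must be this student's guide.
        if (validate(guideName, guidePassword) && isGuideOf(guideName, studentName))
        {
            failures.TryRemove(key, out _);
            return true;
        }

        failures.AddOrUpdate(key, (1, now),
            (_, old) => now - old.First < Window ? (old.Count + 1, old.First) : (1, now));
        return false;
    }
}

// Wiring inside the site, using the method named in the thread (lookup helper is hypothetical):
//   var check = new GuideCredentialCheck(
//       (u, p) => UserManager.GetManager().ValidateUser(u, p),
//       GuideLookup.IsGuideOf);
```

The failure counter here lives in process memory, so a multi-server deployment would need a shared store for it.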